Protect Your Company’s Health: Cyber Coverage & Hygiene

Cybersecurity attacks occur every day, and organizations that prepare before an attack are more likely to recover from a breach. Building a response plan, implementing secure communication channels, and training employees help mitigate cybersecurity risk and keep your company secure. This article presents the types of coverage offered, the phishing attacks to be aware of, and best practices for good cyber hygiene.

The Changing Landscape of Cyber Liability Requirements

The cyber liability insurance landscape has changed significantly over the past few years. Coverage is now largely a stand-alone insurance product rather than something embedded in other coverages. Although insurance carriers now apply heightened scrutiny, more organizations are realizing they need coverage or are being required by customers to carry it (similar to general liability insurance).

Additionally, the requirements to obtain or maintain cyber coverage have changed significantly in the last 12 months. Cyber insurance carriers continue to tighten their underwriting parameters and seek more detail to better understand the organizations they insure, with a narrow focus on multi-factor authentication (MFA), network backup procedures, endpoint detection, and employee cyber awareness training (occurring at least annually).

Most insurance carriers will not provide an initial quote or a renewal unless MFA is fully implemented on all remote connections, such as email, virtual private network (VPN), and/or critical applications. A remote connection is any connection made from outside the office, for example from a jobsite, to email, cloud-based programs, or servers in the office.

While these requirements were already making their way into mainstream underwriting, they were accelerated once entire workforces migrated to working remotely, which created immediate security issues for IT and cybersecurity professionals (unsecured home networks connecting back to the organization remotely). Cyber insurance policies began responding so frequently that carriers are now facing record losses from paying cyber claims.

Cyber criminals acted quickly, taking advantage of human complacency and of the unsecured networks that remote connectivity often introduces. Phishing attacks that initiate an email compromise also became easier for bad actors, because employees could no longer turn to coworkers in the office to ask whether they had also received a suspicious email.

These issues, the pandemic, remote working, and weak security practices have together produced a hard cyber market: higher premiums with less coverage, and more scrutiny of security controls and practices.

What Is Covered?

Today’s cyber coverage is no longer one-size-fits-all. Organizations now have a combination of coverage options to help protect against bad actors and security issues. Understanding your organization’s needs allows you to add other coverages to your policy, such as social engineering, reputational harm, and bricking (i.e., computer equipment rendered useless after a cyber incident).

In the current market, it is not uncommon for insurance carriers to cut coverage limits in half, remove specific coverages (such as ransom/extortion), and raise premiums by 30-500%, depending largely on the industry.

Insurance carriers are also using external scanning tools that report on your externally visible cybersecurity posture and produce a risk score the carrier can use as a basis for deciding whether to extend terms for coverage. The risk score is affected by open ports, exposed vulnerabilities, exposed credentials, the absence of a secure email gateway, and the lack of distributed denial-of-service (DDoS) protection.

In the event of a cyber incident, cyber liability insurance covers a variety of costs, including:

  • The costs of notifying affected customers, recovering compromised data, and repairing damaged computer systems
  • Lost income due to the cyber incident
  • Ransom demands
  • Denial of service
  • Forensic investigations
  • Public relations
  • Litigation expenses
  • Regulatory defense expenses/fines
  • Crisis management expenses

Cyber Liability Types

There are three types of cyber coverage: first-party (e.g., commercial property), third-party (e.g., general liability), and errors and omissions.
